Our resident digital privacy expert Doug Crawford sat down with Harold Li, Vice President of ExpressVPN to discuss how they are staying relevant, trustworthy and transparent in an ever-evolving industry.
We love the fact that audits such as your Cure53 browser extension audit are helping bring transparency to the VPN industry. Why do you think this is so important?
When users choose a VPN, they’re trusting that service with their online privacy and security. We take that trust and responsibility incredibly seriously, and we hope everyone else in the VPN industry does as well. Transparency is one way to help users determine who they can trust, enabling them to see for themselves whether a service lives up to its promises. We believe that anything that helps internet users make more informed decisions when choosing a VPN ultimately makes the internet more private and secure for all.
Are you happy with the results of the audits?
Yes, we’re glad to have received independent validation that our browser extension provides strong security and privacy protections – as the Cure53 report notes, their findings were “a good security indicator.” Additionally, we’re always grateful to get feedback on where we could improve, and are pleased we were able to work with Cure53 to promptly address the issues that they did identify.
Are you planning technical audits for your main VPN clients? We understand this could be expensive, as presumably each platform would need to be independently audited?
Yes, in fact, we regularly conduct audits and penetration tests to validate and strengthen security and privacy protections. This audit is the first one we’ve published, and we do plan on publishing more independent audits in the near future.
In our view, the logs a VPN company keeps present a much bigger threat to users’ privacy than any theoretical flaws in technical security. Do you agree, and does ExpressVPN have any plans for having its logging practices audited in the future?
A leaky VPN is arguably a greater threat than a VPN that logs, as leaks affect every user (who otherwise assumes their network data is secure) and expose them to a wide range of threats, while the collection of logs primarily affects only those users whose information is requested under court order. At ExpressVPN, we do not collect activity logs or connection logs, and that has actually been validated in the real world through incidents such as when Turkish authorities seized a VPN server leased by ExpressVPN in a high-profile case but could not find any server logs that would enable them to identify a culprit. We do have plans for further independent validation of this in the future – stay tuned!
Can you explain why open sourcing your code is so important?
As mentioned in our announcement post, a key reason we did this stems from the way extensions work. The extensive set of permissions needed by an extension to operate can seem alarming when requested by your browser. (For example, one permission warns that the extension can read and change all your data on the websites you visit.) These permissions are necessary to deliver all the privacy and security functions of a VPN as well as added benefits, such as malware protection. By open-sourcing our extension, we’re inviting anyone to look under the hood and confirm that we are using these permissions responsibly and only for the reasons we have given.
Do you plan to open source all your code in the future?
As noted above, there are specific reasons that it was particularly relevant for our extension. We may open source other parts of our code (not limited to apps and extensions, but also to VPN servers) in specific areas where we think it’s relevant and beneficial.
We are very big fans of open source code in general, but when it comes to VPNs we are somewhat unclear about its value. After all, a VPN provider can always monitor users’ behavior on the internet in real time when they are using its service. So would there be any point in adding malicious closed source code to a client or browser extension, when they can see everything anyway? So... why do you feel there is value in open sourcing the extension?
For the extension, there were specific benefits as highlighted above. It’s absolutely true that transparency in any given area is not a panacea when it comes to trusting a VPN provider – but it can help validate the security and privacy protections of a specific piece of the service, as well as provide a positive indicator for the trustworthiness of a service overall.
We applaud that you are working with the Center for Democracy and Technology to raise standards for all VPNs across the industry. Can you tell us more about this initiative?
Yes, the Center for Democracy and Technology (CDT) is an independent non-profit organization that champions online civil liberties and human rights around the world. We worked with them to launch a cross-industry initiative to raise standards across the industry and empower users to make more informed decisions when choosing a VPN. This took the form of a list of questions that VPN services should be able to answer to signal their trustworthiness. These questions, together with guidance from the CDT, help users evaluate VPN providers based on their business models, data collection practices, security protocols, and more.
I like to think of it as a nutrition label for VPNs, providing a baseline set of facts you can compare across various services. And just as a nutrition label can help you determine which snack labeled “healthy” truly is better for you, these questions and answers enable you to better judge whether a VPN service that boasts “industry-leading security” truly deserves that label.
What has the response to this been like from the rest of the VPN industry?
We’ve had a lot of positive feedback from industry observers, such as journalists and reviewers, as well as from users. We haven’t heard from other providers, but we absolutely hope they will join us in our efforts to increase trust and transparency in the industry!